Null-dereference READ in blink::CSSToLengthConversionData::ZoomedComputedPixels |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5147540737228800 Fuzzer: inferno_twister Job Type: linux_msan_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000020 Crash State: blink::CSSToLengthConversionData::ZoomedComputedPixels blink::CSSPrimitiveValue::ConvertToLength blink::StyleBuilderConverter::ConvertLength Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=598931:598957 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5147540737228800 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Nov 13
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/150a1839886ffde6659dbc249f942d7868096390 (Bail out of computing style for invisible elements). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Nov 14
I'm pretty sure this isn't related to my change.
,
Nov 14
Unable to find actual suspect through code search and also observing no CL's under regression range, hence adding appropriate label and requesting someone from dev team to look in to this issue. Thanks!
,
Nov 14
rakina@, reverting your change fixes the crasher.
,
Nov 14
Oops you're right, sorry. Investigating...
,
Nov 21
So somehow we ended up calling Font::PrimaryFont while the |font_fallback_list_| is null. I'm not sure when the |font_fallback_list_| is supposed to be set, and how it relates to the ComputedStyle of invisible elements (regression happens after moving it to Element::StyleForLayoutObject https://chromium-review.googlesource.com/c/chromium/src/+/1276066) futhark@, do you have any ideas?
,
Nov 21
StyleResolver::UpdateFont() normally sets up fonts during style resolving. StyleResolver::InitialStyleForElement does this for the initial styles. You can probably use StyleResolver::InitialStyleForElement() instead of ComputedStyle::Create() or take what you need from there.
,
Nov 22
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839 commit 5a003d5c1d58bb77e0ccccfadc7b84edad0b4839 Author: Rakina Zata Amni <rakina@chromium.org> Date: Thu Nov 22 06:33:03 2018 Use InitialStyleForElement for invisible elements We previously used ComputedStyle::Create when creating ComputedStyle for invisible elements, but the ComputedStyle made with that lacks some setup needed for it to actually be usable correctly. Example case is the style's font fallback list is not set, leading to some crashes. Bug: 904791 Change-Id: I512082af6dcf7a5076eb033a2f9a78b83020e47e Reviewed-on: https://chromium-review.googlesource.com/c/1345952 Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Reviewed-by: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#610322} [modify] https://crrev.com/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839/third_party/blink/renderer/core/css/resolver/style_resolver.h [modify] https://crrev.com/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839/third_party/blink/renderer/core/dom/element.cc
,
Nov 22
ClusterFuzz has detected this issue as fixed in range 610320:610323. Detailed report: https://clusterfuzz.com/testcase?key=5147540737228800 Fuzzer: inferno_twister Job Type: linux_msan_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000020 Crash State: blink::CSSToLengthConversionData::ZoomedComputedPixels blink::CSSPrimitiveValue::ConvertToLength blink::StyleBuilderConverter::ConvertLength Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=598931:598957 Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=610320:610323 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5147540737228800 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22
ClusterFuzz testcase 5147540737228800 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Nov 13Labels: Test-Predator-Auto-Components